The nasty SynoLocker ransomware that has hit scores of Synology network attached storage devices appears to have exploited a flaw that was patched in December.
Earlier this week it was unclear exactly how SynoLocker cryptographic ransomware latched on to Synology devices. Users on Sunday reported finding a message from the crypto-ransomware operators demanding 0.6 Bitcoin -- or around $350 -- for the decryption key. Victims would need to install a Tor browser to access the hidden website where they could make the payment and receive the key.
According to Synology, user reports so far indicate that the attack only affects Synology NAS devices running version 4.3 of its DiskStation Manager (DSM) and not DSM 5.0, which included fixes released last December for two critical flaws that give unauthorised access via the Windows File Service and File Station.
The two vulnerabilities were assigned the identifiers CVE-2013-4475 and CVE-2013-6987.
- a weakness that allows remote attackers to bypass intended file restrictions and access data in unauthorized areas. (CVE-2013-4475)
- a weakness that allows remote attackers to access arbitrary data via a “..” (going back up one level) in the filepath in multiple Web API CGIs. (CVE-2013-6987)
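A defender's view of the second flaw, as an added example that is not from the article or from Synology: a scan of web access logs for requests whose path or query parameters contain a ".." path segment, including percent-encoded and double-encoded forms. The log lines, the CGI name and the `path` parameter are constructed for illustration and are not real DSM endpoints.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines; the CGI name and "path" parameter are hypothetical.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Aug/2014:10:00:01 +0000] "GET /example/file.cgi?path=/photo/2014/a.jpg HTTP/1.1" 200 5120
192.0.2.44 - - [04/Aug/2014:10:00:07 +0000] "GET /example/file.cgi?path=/photo/../../private/notes.txt HTTP/1.1" 200 1432
192.0.2.44 - - [04/Aug/2014:10:00:09 +0000] "GET /example/file.cgi?path=%2Fphoto%2F%2e%2e%2F%2e%2e%2Fprivate%2Fkeys HTTP/1.1" 403 0
192.0.2.44 - - [04/Aug/2014:10:00:12 +0000] "GET /example/file.cgi?path=/photo/%252e%252e/private HTTP/1.1" 404 0
192.0.2.10 - - [04/Aug/2014:10:00:15 +0000] "GET /example/file.cgi?path=/docs/v1..2/notes.txt HTTP/1.1" 200 88
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def has_dotdot_segment(value, max_decodes=3):
    """True if value contains a '..' path segment after undoing nested percent-encoding."""
    for _ in range(max_decodes):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    # Compare whole segments so names like "v1..2" are not flagged.
    return ".." in value.replace("\\", "/").split("/")


def find_traversal_requests(log_text):
    """Return (client, status, target) for each request carrying a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        # Check the URL path itself and every query parameter value.
        values = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        if any(has_dotdot_segment(v) for v in values):
            hits.append((m["client"], int(m["status"]), m["target"]))
    return hits


if __name__ == "__main__":
    for client, status, target in find_traversal_requests(SAMPLE_LOG):
        # A 200 response to a traversal request deserves the first look.
        print(f"{client} status={status} {target}")
```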
"Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM, by exploiting a security vulnerability that was fixed in December, 2013, at which time Synology released patched software and notified users to update via various channels. The DSM 4.3-3810 Update 3 patch addressed two security vulnerabilities -- CVE-2013-4475 and CVE-2013-6987. At present, we have not observed this vulnerability in DSM 5.0," Synology said in a statement.
"Therefore we'd like to urge our users to update their Synology NAS. Furthermore, to prevent spread of the issue we have only enabled QuickConnect and Synology DDNS service to secure versions of DSM. You may find more information about the symptoms and our call to actions here."
The company also referred users to its article containing tips for hardening their Synology NAS.
The update from Synology could be good news for anyone running the older version of DSM who hasn't been affected, but it offers little comfort to victims of the attack who may never recover their files.
Some alleged victims claim to have received the decryption key after making a payment, while others say they have not received the key after payment.